IBM Support

Users Getting Multiple Copies of the Same Email in M365 with Mimecast Email filtering

How To


Summary

The issue is a known problem in environments using Mimecast for email security in conjunction with Microsoft 365 (M365).

Per Microsoft, inbound emails that are scanned by Mimecast and held for attachment review (resulting in the initial notification email with the subject "We sent you safe versions of your files") can sometimes trigger duplicate deliveries of the released email to the user's mailbox.

These duplicates often retain the original timestamp and may arrive simultaneously or after a delay (e.g., hours, days, or weeks).

This has been reported by multiple organizations, particularly in forums like Reddit, where IT administrators have shared similar experiences.

Objective

Potential Causes

Based on user reports and Mimecast's own troubleshooting guidance, the duplication typically stems from one or more of the following:

- Microsoft Defender for Office 365 Safe Links scanning: Mimecast has attributed this to Safe Links (part of Defender) "detonating" or automatically clicking the attachment release link in the held email to verify its safety. This action can be misinterpreted by Mimecast as a user request, prompting it to re-release and re-deliver the email.

- Email forwarding and lack of user authentication: If the held email is forwarded internally (e.g., to another user or shared mailbox), and the recipient clicks the release link, Mimecast may not properly identify the clicker. Without proper authentication, it assumes the request comes from the original recipient and sends the duplicate to them.

- Intermittent scanning by other tools: Third-party integrations or M365's built-in anti-phishing/ATP (Advanced Threat Protection, now Defender) policies could intermittently trigger the release if not properly bypassed or excluded.

- Configuration mismatches: Changes in M365 policies (e.g., default anti-phishing rules) or Mimecast settings can exacerbate this, especially if bypass rules for Mimecast aren't fully effective.

NOTE: This isn't universal. It tends to be intermittent and affects only certain emails with attachments or URLs, which aligns with your case description. It wasn't commonly reported before Mimecast integration, as previous filters (e.g., Darktrace) handled attachments differently.

Reported Solutions

Several affected companies have resolved this through targeted configurations.

Environment

M365

Steps

1. Enable TTP User Enrolment in Mimecast:

   - Navigate to Account Settings > User Access and Permissions > TTP Authentication in the Mimecast Administration Console.

   - Enable "TTP User Enrolment" (Targeted Threat Protection authentication). This sets a cookie to authenticate who is clicking release links, preventing misattribution in forwarding scenarios.

   - Why it helps: It ensures Mimecast knows the exact user requesting attachments, reducing duplicates from internal forwards. Multiple reports confirm this fixed the issue, especially when emails were being forwarded and the onward recipient triggered the release.

2. Exclude Mimecast from M365 Safe Links Scanning:

   - In the Microsoft Defender portal, go to Policies & Rules > Threat Policies > Safe Links.

   - Edit your Safe Links policy and add exclusions for Mimecast domains/URLs (e.g., the Mimecast website domain or specific release link patterns like those in held emails).

   - Alternatively, create a transport rule in the Exchange Admin Center to bypass Safe Links for emails from Mimecast IP ranges (e.g., set SCL to -1 for bypass).

   - Why it helps: This prevents Defender from auto-clicking release links, which Mimecast interprets as a re-request. Disabling Safe Links globally isn't recommended, but targeted exclusions (e.g., for your domain) have resolved simultaneous duplicates in some cases.

3. Verify and Adjust Bypass Rules:

   - In the Exchange Admin Center, review Mail Flow > Rules. Ensure there's a rule to bypass spam/ATP filtering for inbound emails from Mimecast IPs (e.g., set "Sender IP addresses are in these ranges" to Mimecast's regional IPs and apply "Bypass spam filtering").

   - Check Mimecast logs for the duplicate emails—look for loopback addresses (127.0.0.1) in headers, which indicate internal re-processing.

4. Additional Troubleshooting Steps:

   - Check Email Headers: In M365 Threat Explorer or Outlook (View > Message Header), compare headers of originals and duplicates. Look for extra hops or indicators of scanning (e.g., from Defender or Mimecast). This can prove if Defender is involved.

   - Test Forwarding Scenarios: Replicate by forwarding a held email internally and having the recipient release attachments—monitor for duplicates.

   - Monitor for Patterns: Track if duplicates correlate with specific senders, attachment types, or times—this could point to policy triggers.
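The header comparison from steps 3 and 4 can be scripted once the original and the duplicate are exported as raw messages. The following is an added example, not code from IBM, Mimecast or Microsoft; the hostnames, IP addresses and Message-ID are constructed sample data, and it assumes the copy with the shortest Received chain is the original delivery.

```python
import email
import re
from collections import defaultdict

# Constructed sample headers: hypothetical hosts, documentation IP ranges.
ORIGINAL = """\
Received: from mx.filter.example ([203.0.113.10]) by mbx.tenant.example; Mon, 01 Sep 2025 09:00:05 +0000
Received: from mail.sender.example ([198.51.100.7]) by mx.filter.example; Mon, 01 Sep 2025 09:00:01 +0000
Message-ID: <abc123@sender.example>
Date: Mon, 01 Sep 2025 09:00:00 +0000
"""
DUPLICATE = """\
Received: from mx.filter.example ([203.0.113.10]) by mbx.tenant.example; Wed, 03 Sep 2025 14:22:40 +0000
Received: from localhost ([127.0.0.1]) by mx.filter.example; Wed, 03 Sep 2025 14:22:38 +0000
Received: from mail.sender.example ([198.51.100.7]) by mx.filter.example; Mon, 01 Sep 2025 09:00:01 +0000
Message-ID: <abc123@sender.example>
Date: Mon, 01 Sep 2025 09:00:00 +0000
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hops(raw):
    """Return (Message-ID, Date, source IP of each Received hop, newest first)."""
    msg = email.message_from_string(raw)
    ips = [m.group(1) if (m := IP_RE.search(h)) else "?"
           for h in msg.get_all("Received", [])]
    return msg["Message-ID"], msg["Date"], ips

def compare_copies(raw_messages):
    """Group copies by Message-ID and report hops absent from the baseline copy."""
    groups = defaultdict(list)
    for raw in raw_messages:
        mid, date, ips = hops(raw)
        groups[mid].append((date, ips))
    report = {}
    for mid, copies in groups.items():
        if len(copies) < 2:
            continue  # delivered once, nothing to compare
        # Assumption: the shortest Received chain is the original delivery.
        base = min(copies, key=lambda c: len(c[1]))[1]
        extra = [ip for _, c in copies for ip in c if ip not in base]
        report[mid] = {
            "copies": len(copies),
            "same_date": len({d for d, _ in copies}) == 1,  # original timestamp kept
            "extra_hops": extra,
            "loopback": any(ip.startswith("127.") for ip in extra),
        }
    return report
```

A `loopback` value of `True` together with `same_date` matches the pattern described above: a re-released copy that was re-processed internally while keeping the original timestamp.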

Additional Information

If these don't resolve it, consider auditing recent M365 changes (e.g., via the Unified Audit Log) for policy updates that might have started the issue. In the reports, enabling TTP enrolment often provided the quickest fix, with no recurrence after implementation. If you're seeing this across multiple companies, it may indicate a broader integration quirk between Mimecast and M365 that requires these tweaks for stability.

Document Location

Worldwide


Document Information

Modified date:
23 September 2025

UID

ibm17245951